Re: [PATCH] block: blk_init_allocated_queue() set q->fq as NULL in the fail case

From: Bart Van Assche
Date: Mon Jul 30 2018 - 09:42:18 EST

Next message: weiqi (C): "Re: [Question] load balance move tasks not suitable ?"
Previous message: Marcel Holtmann: "Re: [PATCH v6 3/4] Bluetooth: mediatek: Add protocol support for MediaTek serial devices"
In reply to: Ming Lei: "Re: [PATCH] block: blk_init_allocated_queue() set q->fq as NULL in the fail case"
Next in thread: Jens Axboe: "Re: [PATCH] block: blk_init_allocated_queue() set q->fq as NULL in the fail case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2018-07-30 at 14:11 +-0800, xiao jin wrote:
+AD4- We find the memory use-after-free issue in +AF8AXw-blk+AF8-drain+AF8-queue()
+AD4- on the kernel 4.14. After read the latest kernel 4.18-rc6 we
+AD4- think it has the same problem.
+AD4-
+AD4- Memory is allocated for q-+AD4-fq in the blk+AF8-init+AF8-allocated+AF8-queue().
+AD4- If the elevator init function called with error return, it will
+AD4- run into the fail case to free the q-+AD4-fq.
+AD4-
+AD4- Then the +AF8AXw-blk+AF8-drain+AF8-queue() uses the same memory after the free
+AD4- of the q-+AD4-fq, it will lead to the unpredictable event.
+AD4-
+AD4- The patch is to set q-+AD4-fq as NULL in the fail case of
+AD4- blk+AF8-init+AF8-allocated+AF8-queue().

Reviewed-by: Bart Van Assche +ADw-bart.vanassche+AEA-wdc.com+AD4-

Next message: weiqi (C): "Re: [Question] load balance move tasks not suitable ?"
Previous message: Marcel Holtmann: "Re: [PATCH v6 3/4] Bluetooth: mediatek: Add protocol support for MediaTek serial devices"
In reply to: Ming Lei: "Re: [PATCH] block: blk_init_allocated_queue() set q->fq as NULL in the fail case"
Next in thread: Jens Axboe: "Re: [PATCH] block: blk_init_allocated_queue() set q->fq as NULL in the fail case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]